If you're conscious of your own digital security in the modern era, then odds are you use two/multi-factor authentication to secure your more important accounts, but not all methods are equal. If you're especially concerned about privacy or in a "high value" position, in security terms, hardware-based keys are the better choice, as they offer additional protections against things like phishing attacks. And starting today, those invested heavily in Google's ecosystem can pick up the previously announced Titan Security Keys over on the Google Store.
According to research by Verizon, we're generally bad at picking passwords, and we tend to reuse them. To help, Google crawls online for dumps of stolen passwords and notifies its users to change them if it notices any that overlap, enhancing security for over 67 million accounts so far. The company also claims its defenses are able to catch 99.9% of stolen credential use, but even with all these improvements, 2FA offers even greater protections. Earlier this year, Google revealed that not one of its employees has been successfully phished since switching to security keys (similar to these new Titan Security Keys).
The new $50 Titan Security Key set is actually two keys: one with NFC and Bluetooth LE for wireless use, and a USB-A/NFC backup. The wireless unit has a 6-month battery life at ~3 "touches" per month, and Google says that most people won't need to charge it (via micro USB) more than once or twice a year. As for the technical security details, the keys use the U2F standard (not FIDO2). They'll work with pretty much every Google service in Chrome, Android, and Chrome OS as well as other services and apps like Dropbox, Facebook, GitHub, Salesforce, Twitter, and anywhere that FIDO security keys are supported.
Individual customers using the keys will end up joining Google's Advanced Protection program, though Google Cloud and other commercial-scale customers can choose their own deployment details. (More information on precisely what that means can be found at the bottom of the relevant page in an FAQ, as well as an exploration in our upcoming review.)
If you think that the two devices look identical to a pair of products by Feitian, it's possible that Feitian is the OEM. A representative speaking on behalf of Google told us that "Google is the manufacturer of record and we contact a third party to produce the keys."
Should Bluetooth-based security be a concern in the back of your mind, Google would like to assure you that it shouldn't be. Some of us may remember when Yubico, another big name in security keys, went on record with its own statement about Google's upcoming product, questioning its security and user experience:
"Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience."
When asked, a representative at Google disputed that security and usability would be concerns with the Titan Security Keys, saying that the use of Bluetooth had been standardized by the entire FIDO Alliance, and while there is always a trade-off between usability and security, Google believes the risk is acceptable for enhanced comfort.
The keys are available on the Google Store for those in the US starting today, with other regions coming soon. For more detailed information about the Titan Security Key (and an in-depth explanation of the advantages of a hardware security key), keep an eye out for our upcoming review.